From ml at bartschnet.de Thu Aug 16 08:39:22 2018
From: ml at bartschnet.de (Rene 'Renne' Bartsch, B.Sc. Informatics)
Date: Thu, 16 Aug 2018 10:39:22 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
Message-ID: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>

Hi,

how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover?

Regards,

Renne

From paul.hoffman at icann.org Thu Aug 23 00:57:49 2018
From: paul.hoffman at icann.org (Paul Hoffman)
Date: Thu, 23 Aug 2018 00:57:49 +0000
Subject: [ksk-rollover] ICANN Publishes Comprehensive Guide on What to Expect During the Root KSK Rollover
Message-ID:

Greetings again. Please see the announcement of a new guide at
https://www.icann.org/news/announcement-2018-08-22-en
and the guide itself at
https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.pdf

We welcome comments on the guide and its contents.

--Paul Hoffman

From cet1 at cam.ac.uk Thu Aug 23 11:12:30 2018
From: cet1 at cam.ac.uk (Chris Thompson)
Date: 23 Aug 2018 12:12:30 +0100
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>
Message-ID:

On Aug 16 2018, Rene 'Renne' Bartsch asked:

>how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover?

and I suppose we can take the ICANN documents referenced in Paul Hoffman's
post today as part of an answer to that.

Also the latest "Call for Participation" in ICANN 63 (20-25 October) includes
this nugget:

| 2. Post KSK Rollover
| Following the Root Key Rollover, we would like to bring together a panel of
| people who can talk about lessons learned from this KSK Rollover and lessons
| learned for the next time

which sounds almost hubristically confident. No mention of "or alternatively,
we will talk about why we had to back off yet again".

One thing mentioned in
https://www.icann.org/news/blog/minimal-user-impact-expected-from-root-zone-key-signing-key-ksk-rollover
from 18 July was

| Looking forward, the ICANN org will soon reach out to the 1,000 Internet
| Service Providers (ISPs) with the most active resolver traffic that suggests
| DNSSEC validation has been enabled in order to ensure they aware that the
| root KSK roll will occur on 11 October 2018. Those ISPs will also be surveyed
| on their preparation plans for the rollover, which may cause those resolver
| operators to become more aware of the KSK rollover.

It would certainly be interesting if ICANN could tell us how well that
project is going, confidentiality permitting.

--
Chris Thompson
Email: cet1 at cam.ac.uk

From matt.larson at icann.org Thu Aug 23 13:44:55 2018
From: matt.larson at icann.org (Matt Larson)
Date: Thu, 23 Aug 2018 13:44:55 +0000
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>
Message-ID:

On Aug 16, 2018, at 4:39 AM, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:

> how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover?

The ICANN staff on the root KSK roll project are working to provide the Board with appropriate information so they can make an informed decision. As for the chances of the rollover proceeding on schedule, it would be inappropriate for us to predict the ICANN Board's actions.

On Aug 23, 2018, at 7:12 AM, Chris Thompson wrote:

> On Aug 16 2018, Rene 'Renne' Bartsch asked:
>
>> how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover?
>
> and I suppose we can take the ICANN documents referenced in Paul Hoffman's
> post today as part of an answer to that.
>
> Also the latest "Call for Participation" in ICANN 63 (20-25 October) includes
> this nugget:
>
> | 2. Post KSK Rollover
> | Following the Root Key Rollover, we would like to bring together a panel of
> | people who can talk about lessons learned from this KSK Rollover and lessons
> | learned for the next time
>
> which sounds almost hubristically confident. No mention of "or alternatively,
> we will talk about why we had to back off yet again".

I think our optimistic position for ICANN63 planning purposes is reasonable and I would not characterize it as "hubristically confident" (though I'm going to remember that expression and use it some day!). Certainly if the KSK roll is postponed, that would change the content of post-11 October meetings.

> One thing mentioned in
> https://www.icann.org/news/blog/minimal-user-impact-expected-from-root-zone-key-signing-key-ksk-rollover
> from 18 July was
>
> | Looking forward, the ICANN org will soon reach out to the 1,000 Internet
> | Service Providers (ISPs) with the most active resolver traffic that suggests
> | DNSSEC validation has been enabled in order to ensure they aware that the
> | root KSK roll will occur on 11 October 2018. Those ISPs will also be surveyed
> | on their preparation plans for the rollover, which may cause those resolver
> | operators to become more aware of the KSK rollover.
>
> It would certainly be interesting if ICANN could tell us how well that
> project is going, confidentiality permitting.

We kicked off this survey last Tuesday (21 August), when we sent ~4000 email messages to the contacts listed in the RIR databases for 2552 ASNs. These networks represent traffic from DNSSEC-aware recursive resolvers that serve 99.5% of the end-user device IPs in APNIC's Google Ad-based data set. (Thanks to Geoff Huston at APNIC for his help here!). Our threshold for backing out of the KSK rollover is a negative impact affecting 0.5% of Internet users, hence our messages to networks responsible for serving 99.5%. This seemed as good of a place as any to make the cutoff decision for whom to survey.

The emails we sent serve both as a notification of the rollover and a request to take a survey to assess readiness for the rollover. The survey will run for two weeks, completing just in time to provide the results to the Board to aid in their decision-making process about proceeding with the rollover.

Matt
--
Matt Larson, VP of Research
ICANN Office of the CTO

From ml at bartschnet.de Tue Aug 28 08:27:44 2018
From: ml at bartschnet.de (Rene 'Renne' Bartsch, B.Sc. Informatics)
Date: Tue, 28 Aug 2018 10:27:44 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To:
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>
Message-ID:

On 23.08.18 at 15:44, Matt Larson wrote:
>
> We kicked off this survey last Tuesday (21 August), when we sent ~4000 email messages to the contacts listed in the RIR databases for 2552 ASNs. These networks represent traffic from DNSSEC-aware recursive resolvers that serve 99.5% of the end-user device IPs in APNIC's Google Ad-based data set. (Thanks to Geoff Huston at APNIC for his help here!). Our threshold for backing out of the KSK rollover is a negative impact affecting 0.5% of Internet users, hence our messages to networks responsible for serving 99.5%. This seemed as good of a place as any to make the cutoff decision for whom to survey. The emails we sent serve both as a notification of the rollover and a request to take a survey to assess readiness for the rollover. The survey will run for two weeks, completing just in time to provide the results to the Board to aid in their decision-making process about proceeding with the rollover.
>

I suggest a cooperation with big anycast DNS resolver operators like Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their resolver IPs in the news as a fallback for end-users in case their ISP messes up DNSSEC.
Additionally I suggest to ask router vendors to publish model-specific step-by-step guides how to change the resolver IPs.
As internet will fail in such cases the guides should be printable (e.g. PDF-A). ;-)

Renne

From bortzmeyer at nic.fr Tue Aug 28 08:37:55 2018
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 28 Aug 2018 10:37:55 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To:
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>
Message-ID: <20180828083755.pkjhxz22as34rdl4@nic.fr>

On Tue, Aug 28, 2018 at 10:27:44AM +0200,
 Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote
 a message of 14 lines which said:

> I suggest a cooperation with big anycast DNS resolver operators like
> Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their
> resolver IPs in the news as a fallback for end-users

I strongly oppose the idea of promoting big US data silos as an
alternative to the ISP resolver. (Also, while this is less important,
I think it would blur the message to the users and create unnecessary
FUD.)

From dougb at dougbarton.email Tue Aug 28 16:50:35 2018
From: dougb at dougbarton.email (Doug Barton)
Date: Tue, 28 Aug 2018 09:50:35 -0700
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <20180828083755.pkjhxz22as34rdl4@nic.fr>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr>
Message-ID: <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email>

On 08/28/2018 01:37 AM, Stephane Bortzmeyer wrote:
> On Tue, Aug 28, 2018 at 10:27:44AM +0200,
>  Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote
>  a message of 14 lines which said:
>
>> I suggest a cooperation with big anycast DNS resolver operators like
>> Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their
>> resolver IPs in the news as a fallback for end-users
>
> I strongly oppose the idea of promoting big US data silos as an
> alternative to the ISP resolver. (Also, while this is less important,
> I think it would blur the message to the users and create unnecessary
> FUD.)

+1

From mehmet at akcin.net Wed Aug 29 07:08:59 2018
From: mehmet at akcin.net (Mehmet Akcin)
Date: Wed, 29 Aug 2018 00:08:59 -0700
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email>
Message-ID:

Hello everyone,

I have been quiet for a while mostly observing, catching up with incredibly well written documentation by ICANN team. Great work.

I wanted to chime in and support ICANN's decision on proceeding with the plan of rolling KSK 11 October 2018 as planned.

I have put my thoughts in a blog https://www.kapany.net/blog/root-ksk-rollover - I want to be the first one to congratulate the ICANN team for their hard work and dedication on keeping Root Zone secure.

Best regards

Mehmet

On Tue, Aug 28, 2018 at 9:50 AM Doug Barton wrote:

> On 08/28/2018 01:37 AM, Stephane Bortzmeyer wrote:
> > On Tue, Aug 28, 2018 at 10:27:44AM +0200,
> >   Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover at icann.org> wrote
> >   a message of 14 lines which said:
> >
> >> I suggest a cooperation with big anycast DNS resolver operators like
> >> Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their
> >> resolver IPs in the news as a fallback for end-users
> >
> > I strongly oppose the idea of promoting big US data silos as an
> > alternative to the ISP resolver. (Also, while this is less important,
> > I think it would blur the message to the users and create unnecessary
> > FUD.)
>
> +1

From bortzmeyer at nic.fr Wed Aug 29 07:21:17 2018
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Wed, 29 Aug 2018 09:21:17 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To:
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email>
Message-ID: <20180829072117.37mvdl7wymzsfhmq@nic.fr>

On Wed, Aug 29, 2018 at 12:08:59AM -0700,
 Mehmet Akcin wrote
 a message of 106 lines which said:

> I wanted to chime in and support ICANN's decision on proceeding with
> the plan of rolling KSK 11 October 2018 as planned.

Me too, but can we say there was a decision? I understood that, less
than two months before the event, it is still not "decided" (as in
"decided by the management").

From mehmet at akcin.net Wed Aug 29 07:22:01 2018
From: mehmet at akcin.net (Mehmet Akcin)
Date: Wed, 29 Aug 2018 00:22:01 -0700
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <20180829072117.37mvdl7wymzsfhmq@nic.fr>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr>
Message-ID:

My understanding (correct me if I am mistaken here)... that they are proceeding as planned.

On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer wrote:

> On Wed, Aug 29, 2018 at 12:08:59AM -0700,
>  Mehmet Akcin wrote
>  a message of 106 lines which said:
>
> > I wanted to chime in and support ICANN's decision on proceeding with
> > the plan of rolling KSK 11 October 2018 as planned.
>
> Me too, but can we say there was a decision? I understood that, less
> than two months before the event, it is still not "decided" (as in
> "decided by the management").

From icann at feherfamily.org Wed Aug 29 07:32:06 2018
From: icann at feherfamily.org (Kal)
Date: Wed, 29 Aug 2018 17:32:06 +1000
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To:
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr>
Message-ID: <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org>

> On 29 Aug 2018, at 17:22, Mehmet Akcin wrote:
>
> My understanding (correct me if I am mistaken here)... that they are proceeding as planned.
>

No, the ICANN board will give a hopefully clear and emphatic go/no go decision at the next board meeting.

>> On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer wrote:
>> On Wed, Aug 29, 2018 at 12:08:59AM -0700,
>>  Mehmet Akcin wrote
>>  a message of 106 lines which said:
>>
>> > I wanted to chime in and support ICANN's decision on proceeding with
>> > the plan of rolling KSK 11 October 2018 as planned.
>>
>> Me too, but can we say there was a decision? I understood that, less
>> than two months before the event, it is still not "decided" (as in
>> "decided by the management").

From mehmet at akcin.net Wed Aug 29 07:36:31 2018
From: mehmet at akcin.net (Mehmet Akcin)
Date: Wed, 29 Aug 2018 00:36:31 -0700
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org>
Message-ID:

https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.pdf

"Currently planned for 11 October 2018.." I interpret this as "we are moving forward"

I might be wrong, but that's my understanding..

On Wed, Aug 29, 2018 at 12:32 AM Kal wrote:

> On 29 Aug 2018, at 17:22, Mehmet Akcin wrote:
>
> My understanding (correct me if I am mistaken here)... that they are
> proceeding as planned.
>
> No, the ICANN board will give a hopefully clear and emphatic go/no go
> decision at the next board meeting.
>
> On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer wrote:
>
>> On Wed, Aug 29, 2018 at 12:08:59AM -0700,
>>  Mehmet Akcin wrote
>>  a message of 106 lines which said:
>>
>> > I wanted to chime in and support ICANN's decision on proceeding with
>> > the plan of rolling KSK 11 October 2018 as planned.
>>
>> Me too, but can we say there was a decision? I understood that, less
>> than two months before the event, it is still not "decided" (as in
>> "decided by the management").

--
Mehmet
+1-424-298-1903

From david.conrad at icann.org Wed Aug 29 07:42:14 2018
From: david.conrad at icann.org (David Conrad)
Date: Wed, 29 Aug 2018 07:42:14 +0000
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To:
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org>
Message-ID: <9717054D-F462-4F66-B169-84C4445E15CD@icann.org>

Hi,

The decision to move forward is on the agenda for the upcoming Board workshop in Brussels on Sept 15.

Staff is recommending moving forward based on the information we have, however it is the Board that will be voting the final decision regarding following the revised plan which proposes putting the new KSK in use on 11 Oct 2018.

We (staff) appreciate any input on the KSK rollover the community might offer (we're writing the Board resolution and supporting paper now).

Regards,
-drc

> On Aug 29, 2018, at 12:36 AM, Mehmet Akcin wrote:
>
> https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.pdf
>
> "Currently planned for 11 October 2018.." I interpret this as "we are moving forward"
>
> I might be wrong, but that's my understanding..
>
> On Wed, Aug 29, 2018 at 12:32 AM Kal wrote:
>
> On 29 Aug 2018, at 17:22, Mehmet Akcin wrote:
>
>> My understanding (correct me if I am mistaken here)... that they are proceeding as planned.
>>
> No, the ICANN board will give a hopefully clear and emphatic go/no go decision at the next board meeting.
>> On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer wrote:
>> On Wed, Aug 29, 2018 at 12:08:59AM -0700,
>>  Mehmet Akcin wrote
>>  a message of 106 lines which said:
>>
>> > I wanted to chime in and support ICANN's decision on proceeding with
>> > the plan of rolling KSK 11 October 2018 as planned.
>>
>> Me too, but can we say there was a decision? I understood that, less
>> than two months before the event, it is still not "decided" (as in
>> "decided by the management").
>
> --
> Mehmet
> +1-424-298-1903

From bortzmeyer at nic.fr Wed Aug 29 08:07:55 2018
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Wed, 29 Aug 2018 10:07:55 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <9717054D-F462-4F66-B169-84C4445E15CD@icann.org>
References: <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org>
Message-ID: <20180829080755.5neeuuogmpdyh2lh@nic.fr>

On Wed, Aug 29, 2018 at 07:42:14AM +0000,
 David Conrad wrote
 a message of 322 lines which said:

> The decision to move forward is on the agenda for the upcoming Board
> workshop in Brussels on Sept 15.

Which means that we will be able to outreach seriously with the local
"community" less than one month before the event. IMHO, this is too
short. I thought it was decided a long time ago :-(

> We (staff) appreciate any input on the KSK rollover the community
> might offer

There are three good reasons NOT to delay any further:

1) there is no serious perspective to get more information in the near
future. We have to accept the (very moderate) uncertainty.

2) Even if we had perfect information about the broken resolvers,
there are sysadmins that will do nothing until the day before (and
even some that will do nothing until the day after?) We cannot wait to
have 0 % issues.

3) The most important reason is communication: there are already
sysadmins who told me "Oh, I won't do anything, I'm certain it will be
postponed again". If we postpone one more time, nobody will take
seriously the third announced date.

From ml at bartschnet.de Wed Aug 29 09:12:50 2018
From: ml at bartschnet.de (Rene 'Renne' Bartsch, B.Sc. Informatics)
Date: Wed, 29 Aug 2018 11:12:50 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <20180829080755.5neeuuogmpdyh2lh@nic.fr>
References: <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org> <20180829080755.5neeuuogmpdyh2lh@nic.fr>
Message-ID: <41f36081-300d-c19e-59db-5799870a6a4f@bartschnet.de>

On 29.08.18 at 10:07, Stephane Bortzmeyer wrote:
> 3) The most important reason is communication: there are already
> sysadmins who told me "Oh, I won't do anything, I'm certain it will be
> postponed again". If we postpone one more time, nobody will take
> seriously the third announced date.

I agree. If postponed again DNSSEC will definitely achieve the "Vaporware" state in the public view.

Renne

From mje at posix.co.za Wed Aug 29 09:23:13 2018
From: mje at posix.co.za (Mark Elkins)
Date: Wed, 29 Aug 2018 11:23:13 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <9717054D-F462-4F66-B169-84C4445E15CD@icann.org>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org>
Message-ID: <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za>

Domain incite wrote a piece on this.
http://domainincite.com/23353-icann-faces-critical-choice-as-security-experts-warn-against-key-rollover

I understood from that article, that SSAC generally agreed that the
roll-over should happen but five (out of 22) were not in agreement.
I also understand that the "risk" (of collateral damage) is now acceptable.

Personally, I hope the Board agrees to go ahead with the key-rollover.
That Lithium battery inside the HSM with its five year life expectancy
is in its sixth (or so) year?

I'm actually eager to see what happens and expect almost no negative
impact. I believe that the majority of Broken stuff in DNSSEC aware
recursive resolvers will be fixed very quickly and sincerely hope no one
goes around removing DS records.

I live in South Africa where just under 50% (according to
https://stats.labs.apnic.net/dnssec) of people use a DNSSEC aware
recursive resolver. The ZACR (South African Central Registry) has done
about 10 years of free DNS/DNSSEC teaching to the ISP community, which I
was personally involved in. I'm obviously hoping for Zero issues.
(I like to think that the 50% is somewhat due to those twice-a-year
workshops :)

On 08/29/2018 09:42 AM, David Conrad wrote:
> Hi,
>
> The decision to move forward is on the agenda for the upcoming Board
> workshop in Brussels on Sept 15.
>
> Staff is recommending moving forward based on the information we have,
> however it is the Board that will be voting the final decision
> regarding following the revised plan which proposes putting the new
> KSK in use on 11 Oct 2018.
>
> We (staff) appreciate any input on the KSK rollover the community
> might offer (we're writing the Board resolution and supporting paper now).
>
> Regards,
> -drc
>
>> On Aug 29, 2018, at 12:36 AM, Mehmet Akcin wrote:
>>
>> https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.pdf
>>
>> "Currently planned for 11 October 2018.." I interpret this as "we are
>> moving forward"
>>
>> I might be wrong, but that's my understanding..
>>
>> On Wed, Aug 29, 2018 at 12:32 AM Kal wrote:
>>
>> On 29 Aug 2018, at 17:22, Mehmet Akcin wrote:
>>
>>> My understanding (correct me if I am mistaken here)... that they
>>> are proceeding as planned.
>>>
>> No, the ICANN board will give a hopefully clear and emphatic
>> go/no go decision at the next board meeting.
>>> On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer wrote:
>>>
>>> On Wed, Aug 29, 2018 at 12:08:59AM -0700,
>>>  Mehmet Akcin wrote
>>>  a message of 106 lines which said:
>>>
>>> > I wanted to chime in and support ICANN's decision on proceeding with
>>> > the plan of rolling KSK 11 October 2018 as planned.
>>>
>>> Me too, but can we say there was a decision? I understood that, less
>>> than two months before the event, it is still not "decided" (as in
>>> "decided by the management").
>>
>> --
>> Mehmet
>> +1-424-298-1903

--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

From shane at time-travellers.org Wed Aug 29 11:06:54 2018
From: shane at time-travellers.org (Shane Kerr)
Date: Wed, 29 Aug 2018 13:06:54 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org> <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za>
Message-ID: <1a2812d0-4fcd-7532-c080-df81aed11ba0@time-travellers.org>

Mark,

On 2018-08-29 11:23, Mark Elkins wrote:
> That Lithium battery inside the HSM with its five year life expectancy
> is in its sixth (or so) year?

I believe that HSM can be replaced without rolling the key, so this is
not a strong motivator.

I still strongly favor rolling the key, for many other reasons!

Cheers,

--
Shane

From matt.larson at icann.org Wed Aug 29 11:27:49 2018
From: matt.larson at icann.org (Matt Larson)
Date: Wed, 29 Aug 2018 11:27:49 +0000
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <1a2812d0-4fcd-7532-c080-df81aed11ba0@time-travellers.org>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org> <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za> <1a2812d0-4fcd-7532-c080-df81aed11ba0@time-travellers.org>
Message-ID: <1F4CB049-7677-4AC6-9D78-EDDC59DC99AB@icann.org>

On Aug 29, 2018, at 7:06 AM, Shane Kerr wrote:

> On 2018-08-29 11:23, Mark Elkins wrote:
>> That Lithium battery inside the HSM with its five year life expectancy is in its sixth (or so) year?
>
> I believe that HSM can be replaced without rolling the key, so this is not a strong motivator.

Indeed, and we have already done so: the four original HSMs have been retired and replaced.

Matt

From ml at bartschnet.de Wed Aug 29 22:36:39 2018
From: ml at bartschnet.de (Rene 'Renne' Bartsch, B.Sc. Informatics)
Date: Thu, 30 Aug 2018 00:36:39 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <1F4CB049-7677-4AC6-9D78-EDDC59DC99AB@icann.org>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org> <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za> <1a2812d0-4fcd-7532-c080-df81aed11ba0@time-travellers.org> <1F4CB049-7677-4AC6-9D78-EDDC59DC99AB@icann.org>
Message-ID:

I have promoted DNSSEC for years and always heard the same bad excuses:

DNS server admins: developers of hard- and software clients do not support DNSSEC
Hard-/software developers: DNS servers do not support DNSSEC
Users: configuration is a huge effort
All: KSK rollover will fail leading to an internet blackout

Bottom line:

Rolling out DNSSEC is not a technical but a social problem. It's called fear and laziness.
It seems the focus of the ICANN board is too technical to realize this.

The indecisiveness of the ICANN board makes all involved parties insecure.
If the KSK-rollover is postponed again, no one will take DNSSEC seriously.
If the KSK-rollover becomes a big fail everyone will avoid DNSSEC.

It's time to get things done to gain the trust of all involved parties.

I suggest a marketing campaign to promote the benefits of the DNSSEC/DANE dyad for users
who will then push service providers and hard-/software developers.

Renne

On 29.08.18 at 13:27, Matt Larson wrote:
>
>> On Aug 29, 2018, at 7:06 AM, Shane Kerr wrote:
>>
>> On 2018-08-29 11:23, Mark Elkins wrote:
>>> That Lithium battery inside the HSM with its five year life expectancy is in its sixth (or so) year?
>>
>> I believe that HSM can be replaced without rolling the key, so this is not a strong motivator.
>
> Indeed, and we have already done so: the four original HSMs have been retired and replaced.
>
> Matt

From david.conrad at icann.org Wed Aug 29 23:24:51 2018
From: david.conrad at icann.org (David Conrad)
Date: Wed, 29 Aug 2018 23:24:51 +0000
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To:
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org> <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za> <1a2812d0-4fcd-7532-c080-df81aed11ba0@time-travellers.org> <1F4CB049-7677-4AC6-9D78-EDDC59DC99AB@icann.org>
Message-ID: <50341E40-D7F1-4815-B99B-F2AF5D32F523@icann.org>

Hi,

On Aug 29, 2018, at 3:36 PM, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:
> Rolling out DNSSEC is not a technical but a social problem. It's called fear and laziness.
> It seems the focus of the ICANN board is too technical to realize this.

In my experience, it is rare for someone to say the focus of ICANN's board "too technical" :).

> The indecisiveness of the ICANN board makes all involved parties insecure.

To clarify, the Board has not been not indecisive. They haven't yet been asked to make a decision on rolling the KSK.

> I suggest a marketing campaign to promote the benefits of the DNSSEC/DANE dyad for users
> who will then push service providers and hard-/software developers.

We (staff) would love to hear thoughts on benefits of DNSSEC/DANE (we know of some, but would be interested in hearing others). However, this may be a bit out of charter for this mailing list.

Regards,
-drc

From ml at bartschnet.de Thu Aug 30 06:21:33 2018
From: ml at bartschnet.de (Rene 'Renne' Bartsch, B.Sc. Informatics)
Date: Thu, 30 Aug 2018 08:21:33 +0200
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To: <50341E40-D7F1-4815-B99B-F2AF5D32F523@icann.org>
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de> <20180828083755.pkjhxz22as34rdl4@nic.fr> <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email> <20180829072117.37mvdl7wymzsfhmq@nic.fr> <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org> <9717054D-F462-4F66-B169-84C4445E15CD@icann.org> <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za> <1a2812d0-4fcd-7532-c080-df81aed11ba0@time-travellers.org> <1F4CB049-7677-4AC6-9D78-EDDC59DC99AB@icann.org> <50341E40-D7F1-4815-B99B-F2AF5D32F523@icann.org>
Message-ID: <1b9f2c48-225e-1c42-5974-a7effce09cef@bartschnet.de>

On 30.08.18 at 01:24, David Conrad wrote:

> To clarify, the Board has not been not indecisive. They haven't yet been asked to make a decision on rolling the KSK.

Which is extremely late ...

> We (staff) would love to hear thoughts on benefits of DNSSEC/DANE (we know of some, but would be interested in hearing others). However, this may be a bit out of charter for this mailing list.

Where to discuss this?

In short:

1. TLS is vulnerable to MITM-attacks with intermediate certificates (e.g. firewall applications) -> DANE-TLS solves that problem
2. Free (self-signed) client- or server certificates without the risk of fraudulent or incompetent CAs
3. Easy and secure public key exchange and revocation for any application with end-to-end encryption
   (e.g. email: DANE-SMIMEA, DANE-OpenPGP, VPN, messengers, online services, embedded devices, ...)

Renne

From cet1 at cam.ac.uk Thu Aug 30 13:46:37 2018
From: cet1 at cam.ac.uk (Chris Thompson)
Date: 30 Aug 2018 14:46:37 +0100
Subject: [ksk-rollover] Current status of KSK-RollOver?
In-Reply-To:
References: <7aa80c26-dfc7-d4d0-e83f-09822fc2cc89@bartschnet.de>
 <20180828083755.pkjhxz22as34rdl4@nic.fr>
 <6532e1f2-3c00-0f6a-d870-bddeec0dd5db@dougbarton.email>
 <20180829072117.37mvdl7wymzsfhmq@nic.fr>
 <8AC16B3A-5754-4654-A18A-8A6C6C2D23C7@feherfamily.org>
 <9717054D-F462-4F66-B169-84C4445E15CD@icann.org>
 <05c71f09-557c-9b4a-227b-24547a8698f7@posix.co.za>
 <1a2812d0-4fcd-7532-c080-df81aed11ba0@time-travellers.org>
 <1F4CB049-7677-4AC6-9D78-EDDC59DC99AB@icann.org>
Message-ID:

On Aug 29 2018, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:

>I have promoted DNSSEC for years and always heard the same bad excuses:
>
>DNS server admins: developers of hard- and software clients do not
> support DNSSEC
>Hard-/software developers: DNS servers do not support DNSSEC
>Users: configuration is a huge effort
>All: KSK rollover will fail leading to an internet
> blackout

Presuming that this last refers specifically to root zone KSK rollover,
my impression is that it was not mentioned much by the "DNSSEC is bad"
people until it became obvious that it was going to be more difficult
than was originally envisaged.

If it is indeed the case that it is now the most commonly raised objection
to DNSSEC, this could be because the other ones mentioned above are looking
increasingly flimsy.

--
Chris Thompson
Email: cet1 at cam.ac.uk